Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Windows Net Apps :: win4922.htm

Citrix client - arbitrary remote command execution on Citrix client computer



14th Dec 2001 [SBWID-4922]
COMMAND

	arbitrary remote command execution on Citrix client computer

SYSTEMS AFFECTED

	 Citrix ICA client 6.01, on windows 2000 SP2

	 Macintosh clients seems to be unaffected.

PROBLEM

	Michiel  Kikkert  published  in  a  Kikkert  Security  Advisory  a   bug
	regarding  Citrix  client,  allowing  malicious  webmasters  to  execute
	arbitrary commands on visitors computers, if  they  have  citrix  client
	installed - and ica port (1494) open.
	

	When a user has Citrix Client installed and has therefore  an  extension
	mapping for .ICA files, the user will NOT be warned when downloading  an
	.ica file. The user is NOT asked to open or download the file,  the  ica
	file will just activate the Citrix client and a connection to  a  remote
	server can be made.
	

	result of this is that any malicious website owner  (with  access  to  a
	Citrix terminal server) can  place  trojan  code  on  a  client  machine
	without consent of the client.
	

	I created a working demo in the form of a webpage which simply  contains
	an Iframe (could also be a hidden frame):
	

	

	<iframe src=\"trojan.ica\"></iframe>

	

	

	Trojan.ica will connect to a published application (hosted on  a  Citrix
	Metaframe XP server) without first asking the user and  place  a  (fake)
	trojan file on the clients\' hard drive. The  published  application  is
	simply a  VBS  script  that  copies  the  trojan  file  from  the  local
	(terminal server\'s) hard drive to the (mapped) client drive. After  the
	script ran, the connection to the remote  server  will  be  broken.  The
	client is not in any way warned or promted that  the  remote  server  is
	writing anything to the clients hard drive. Strange enough, the  activeX
	client I tested DOES ask the user for permission  before  the  published
	application can write to the client drive, this is  in  my  opinion  the
	way it should work. Just to make it clear, the malicious  website  owner
	can not only write to the  client,  he  can  also  retrieve  a  complete
	listing of any file on the machine or copy any  file/document  from  the
	client\'s machine.

SOLUTION

	Possible fixes (as given by Citrix):
	

	* The Citrix ICA Clients for Apple Macintosh and for Unix have  explicit
	drive mapping dialogs which  control  client  drive  mapping,  and  also
	allow read/write  selection.  Therefore,  these  clients  will  only  be
	attacked if such drive mappings are configured.
	

	* When using the ICA Client for Java,  you  can  set  Java  security  to
	prevent file  access  by  Java  applications.  This  will  prevent  disk
	access.
	

	* Client Drive Mapping can be  disabled  in  APPSRV.INI  by  adding  the
	setting: CDMAllowed=Off
	 - Bit of a drastic solution, as this just disables the feature.

	

	* In Internet Explorer, the File Download permission  can  be  disabled.
	This would avoid the exploit in the form described.
	 - But would still be exploitable via email client

	

	And a Microsoft\'s recommended workaround for Outlook:
	

	it\'s possible to configure the OESU (Outlook Security Update) to  block
	additional file types, including .ICA.
	

	


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH